Merge pull request 'Setup platon via Ansible (minus asterisk)' (!56) from platon-setup into master

Reviewed-on: https://gitea.n39.eu/Netz39_Admin/netz39-infra-ansible/pulls/56
Reviewed-by: dkdent <dkdent@netz39.de>

files/platon/i2cspeed.sh

@@ -0,0 +1,7 @@
+#!/bin/bash
+
+# https://gist.github.com/ribasco/c22ab6b791e681800df47dd0a46c7c3a
+
+var="$(xxd -ps /sys/class/i2c-adapter/i2c-1/of_node/clock-frequency)"
+var=${var//[[:blank:].\}]/}
+printf "%d\n" 0x$var

files/platon/mosquitto-local.conf

@@ -0,0 +1,2 @@
+listener 1883
+allow_anonymous true

files/platon/reboot.sh

@@ -0,0 +1,37 @@
+#!/bin/sh
+PATH='/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/games:/usr/games'
+echo 'start i2c-foo'
+sudo modprobe i2c_dev
+sudo modprobe i2c_bcm2708
+echo 'starting log'
+tmux new-session -s status -d 'sudo less /var/log/shuttercontrol.log'
+cd /home/pi/netz39_rollladensteuerung/raspberry/shuttercontrol 
+echo 'switch-on.sh'
+../switch-on.sh
+cd /home/pi
+echo 'start shuttercontrol'
+tmux new-window -t status:1 'cd /home/pi/netz39_rollladensteuerung/raspberry/shuttercontrol && ./shuttercontrol.sh'
+echo 'start watchdog'
+tmux new-window -t status:2 'cd /home/pi/netz39_rollladensteuerung/raspberry/doorcontrol && ./door-with-spacestatus.sh'
+#tmux new-window -t status:2 'cd /home/pi/netz39_rollladensteuerung/raspberry/door-watchdog && python3 ./door-watchdog.py'
+
+echo 'start door-sound.sh'
+tmux new-window -t status:3 'cd /home/pi/netz39_rollladensteuerung/raspberry/doorcontrol && ./door-sound.sh'
+echo 'start ic3-client'
+tmux new-window -t status:4 'cd /home/pi/netz39_xmpp_space_control/i3c_client && build/i3c_client --foreground'
+echo 'start asterisk abuse check'
+tmux new-window -t status:5 'cd /home/pi/netz39_rollladensteuerung/raspberry/asterisk && sudo ./check-abuse.sh'
+echo 'start asterisk console'
+tmux new-window -t status:6 'sudo asterisk -vvvr'
+echo 'start door service'
+tmux new-window -t status:7 'cd /home/pi/netz39_rollladensteuerung/raspberry/door-service && python3 door-service.py'
+echo 'start mqtt-clock'
+tmux new-window -t status:8 'cd /home/pi/mqtt-tools/agents && ./mqtt-clock'
+
+#echo 'start ampel controller'
+# This does not work as intended xD
+#tmux new-window -t status:9 'cd /home/pi/netz39_space_notification/raspberry/ledcontrol && ./ledcontrol'
+
+
+#echo 'start shuttercontrol-service (experimental)'
+#tmux new-window -t status:9 'cd /home/pi && python3 ./shuttercontrol-service.py'

files/platon/sesam-door-open.sh

@@ -0,0 +1,7 @@
+#!/bin/bash
+
+echo "`date` : $SSH_KEY_OWNER" >> /home/sesam/door_open.log
+ssh pi@localhost -i /home/sesam/.ssh/id_rsa  \
+    -t /home/pi/sesame-open.sh
+
+

files/platon/sesame-open.sh

@@ -0,0 +1,5 @@
+#/bin/bash
+
+/home/pi/netz39_rollladensteuerung/raspberry/doorcontrol/door-open.sh
+/home/pi/netz39_rollladensteuerung/raspberry/shuttercontrol/doorshutter-open.sh
+

files/platon/syslog-shuttercontrol.conf

@@ -0,0 +1,4 @@
+if $programname == 'lockfailsafe'   then /var/log/shuttercontrol.log
+if $programname == 'shuttercontrol' then /var/log/shuttercontrol.log
+if $programname == 'doorservice' then /var/log/shuttercontrol.log
+& ~

files/platon/unstuck.sh

@@ -0,0 +1,13 @@
+#!/bin/bash
+logger -t unstuck "unstuck $(date)"
+
+killall tmux
+gpio mode 2 output
+gpio mode 3 output
+gpio write 2 0
+gpio write 3 0
+sudo modprobe -r i2c_dev
+sudo modprobe -r i2c_bcm2708
+
+sleep 1
+~/reboot.sh

files/sysctl-no-ipv6.conf

@@ -0,0 +1,3 @@
+net.ipv6.conf.all.disable_ipv6 = 1
+net.ipv6.conf.default.disable_ipv6 = 1
+net.ipv6.conf.lo.disable_ipv6 = 1

inventory.yml

@@ -76,7 +76,8 @@ all:
       server_admin: "admin+unicorn@netz39.de"
     platon.n39.eu:
       server_admin: "admin+platon@netz39.de"
-      ansible_ssh_user: pi
+      mac: "b8:27:eb:8f:98:2f"
+      gatekeeper_user: pi
     radon.n39.eu:
       server_admin: "admin+radon@netz39.de"
     krypton.n39.eu:

platon.yml

@@ -7,3 +7,251 @@
     ble_keykeeper_dir: '/home/pi/netz39_ble_keykeeper'
   roles:
     - role: ble-keykeeper-role
+
+  tasks:
+    - name: Install packages needed for the system
+      # This is a list of all packages,
+      # unless they are installed by a specific role
+      ansible.builtin.apt:
+        state: present
+        name:
+          # Should come from ble-keeper-role
+          # see https://github.com/netz39/ble-keykeeper-role/issues/4
+          - python3-pip
+          # This is needed for the user-executed tasks
+          - acl
+          # Regular packages
+          - tmux
+          - git-core
+          - cmake
+          - build-essential
+          - libmosquitto-dev
+          - libconfig-dev
+          - mpg123
+          - mosquitto
+          - i2c-tools
+
+
+    - name: Set MAC address for proper DHCP recognition
+      # Uses mac variable from inventory
+      ansible.builtin.template:
+        src: templates/network-interfaces-dhcp-mac.j2
+        dest: /etc/network/interfaces.d/platon-mac
+        owner: root
+        group: root
+        mode: '0644'
+
+    - name: Disable IPv6
+      # Because it is not working....
+      ansible.builtin.copy:
+        src: files/sysctl-no-ipv6.conf
+        dest: /etc/sysctl.d/99-systcl-no-ipv6.conf
+        owner: root
+        group: root
+        mode: '0644'
+
+
+    ### Mosquitto for local MQTT
+
+    - name: Local configuration for Mosquitto
+      ansible.builtin.copy:
+        src: files/platon/mosquitto-local.conf
+        dest: /etc/mosquitto/conf.d/platon-local.conf
+        owner: root
+        group: root
+        mode: '0644'
+      notify: restart mosquitto
+
+
+    ### Sesam for SSH access
+    #
+    # Make sure to provide the .ssh/authorized_keys from backup, if needed
+
+    - name: Ensure sesam user is there
+      ansible.builtin.user:
+        name: sesam
+        shell: /home/sesam/door-open.sh
+        groups: i2c
+        append: yes
+        generate_ssh_key: yes
+
+    - name: Get the SSH public key for sesam
+      ansible.builtin.slurp:
+        src: /home/sesam/.ssh/id_rsa.pub
+      register: sesam_key
+
+    - name: Add SSH public identity as authorized key to pi
+      ansible.posix.authorized_key:
+        user: "{{ gatekeeper_user }}"
+        state: present
+        key: "{{  sesam_key['content'] | b64decode }}"
+        comment: "Sesam access"
+
+    - name: Copy door-open.ssh for sesam
+      ansible.builtin.copy:
+        src: files/platon/sesam-door-open.sh
+        dest: /home/sesam/door-open.sh
+        owner: sesam
+        group: sesam
+        mode: "0755"
+
+
+    ### Gatekeeper user (pi for now)
+    #
+    # All the gatekeeping / door control stuff is here!
+
+    - name: Ensure gatekeeper user is there
+      ansible.builtin.user:
+        name: "{{ gatekeeper_user }}"
+        groups: dialout,audio,plugdev,input,netdev,i2c,gpio
+        append: yes
+
+    - name: Copy management scripts
+      ansible.builtin.copy:
+        src: "files/platon/{{ item }}"
+        dest: "/home/{{ gatekeeper_user }}/{{ item }}"
+        owner: "{{ gatekeeper_user }}"
+        group: "{{ gatekeeper_user }}"
+        mode: "0755"
+      loop:
+        - i2cspeed.sh
+        - reboot.sh
+        - unstuck.sh
+        - sesame-open.sh
+
+    - name: Install start-up cron
+      ansible.builtin.cron:
+        name: Start the gatekeeper services
+        job: "/home/{{ gatekeeper_user }}/reboot.sh"
+        user: "{{ gatekeeper_user }}"
+        special_time: reboot
+
+    - name: Download wiringPi library
+      # WiringPi needs to be installed, but that library seems to be
+      # obsolete. We download something and hope it works...
+      ansible.builtin.get_url:
+        url: https://project-downloads.drogon.net/wiringpi-latest.deb
+        dest: "/home/{{ gatekeeper_user }}/wiringpi-latest.deb"
+        mode: "0644"
+        force: no
+      register: wiringPi_download
+
+    - name: Install wiringPi library
+      ansible.builtin.apt:
+        state: present
+        deb: "/home/{{ gatekeeper_user }}/wiringpi-latest.deb"
+      when: wiringPi_download.changed
+
+
+    ### Rollladensteuerung
+
+    - name: Clone netz39_rollladensteuerung initial checkout
+      # Do this as the gatekeeper user!
+      become: yes
+      become_user: "{{ gatekeeper_user }}"
+      ansible.builtin.git:
+        repo: https://github.com/netz39/rollladensteuerung.git
+        dest: "/home/{{ gatekeeper_user }}/netz39_rollladensteuerung"
+        clone: yes
+        update: no
+
+    - name: Compile dootstate agent
+      # Do this as the gatekeeper user!
+      become: yes
+      become_user: "{{ gatekeeper_user }}"
+      ansible.builtin.shell:
+        chdir: "/home/{{ gatekeeper_user }}/netz39_rollladensteuerung/raspberry/doorstate"
+        cmd: make
+        creates: "/home/{{ gatekeeper_user }}/netz39_rollladensteuerung/raspberry/doorstate/doorstate"
+
+    - name: Compile shuttercontrol
+      # Do this as the gatekeeper user!
+      become: yes
+      become_user: "{{ gatekeeper_user }}"
+      ansible.builtin.shell:
+        chdir: "/home/{{ gatekeeper_user }}/netz39_rollladensteuerung/raspberry/shuttercontrol"
+        cmd: make
+        creates: "/home/{{ gatekeeper_user }}/netz39_rollladensteuerung/raspberry/shuttercontrol/shuttercontrol"
+
+    - name: Create directory for tyr sounds
+      ansible.builtin.file:
+        path: "/home/{{ gatekeeper_user }}/tyr/sounds"
+        state: directory
+        owner: "{{ gatekeeper_user }}"
+        group: "{{ gatekeeper_user }}"
+        mode: "0755"
+
+
+    ### MQTT Tools
+
+    - name: Clone MQTT tools (initial checkout)
+      # Do this as the gatekeeper user!
+      become: yes
+      become_user: "{{ gatekeeper_user }}"
+      ansible.builtin.git:
+        repo: https://github.com/penguineer/mqtt-tools.git
+        dest: "/home/{{ gatekeeper_user }}/mqtt-tools"
+        clone: yes
+        update: no
+
+    - name: Compile MQTT clock
+      # Do this as the gatekeeper user!
+      become: yes
+      become_user: "{{ gatekeeper_user }}"
+      ansible.builtin.shell:
+        warn: false
+        chdir: "/home/{{ gatekeeper_user }}/mqtt-tools"
+        cmd: |
+          mkdir build
+          cd build
+          cmake ..
+          make
+          cp agents/mqtt-clock ../agents/mqtt-clock
+        creates: "/home/{{ gatekeeper_user }}/mqtt-tools/agents/mqtt-clock"
+
+
+    ### Syslog setup for shuttercontrol.log
+
+    - name: Check if rsyslog is actually installed
+      ansible.builtin.package:
+        name: rsyslog
+        state: present
+      check_mode: true
+      register: rsyslog_check
+
+    - name: Fail if rsyslog is missing
+      ansible.builtin.fail:
+        msg: "Please make sure that rsyslog is installed!"
+      when: rsyslog_check is not succeeded
+
+    - name: Make sure shuttercontrol.log exists
+      ansible.builtin.copy:
+        content: ""
+        dest: /var/log/shuttercontrol.log
+        # force=no ensures the file is created only if it does not exist
+        force: no
+        owner: root
+        group: root
+        mode: "0644"
+
+    - name: Copy syslog setting for shuttercontrol
+      ansible.builtin.copy:
+        src: files/platon/syslog-shuttercontrol.conf
+        dest: /etc/rsyslog.d/20-shuttercontrol.conf
+        owner: root
+        group: root
+        mode: "0644"
+      notify: restart rsyslog
+
+  handlers:
+    - name: restart mosquitto
+      service:
+        name: mosquitto
+        state: restarted
+        enabled: yes
+
+    - name: restart rsyslog
+      service:
+        name: rsyslog
+        state: restarted
+        enabled: yes

templates/network-interfaces-dhcp-mac.j2

@@ -0,0 +1,6 @@
+# Set a specific MAC address to enable DHCP recognition
+allow-hotplug eth0
+iface eth0 inet dhcp
+    hwaddress ether {{ mac }}
+
+# THIS FILE IS MANAGED VIA ANSIBLE!